Vulnerability details: VCID-y786-mwkd-u7ha
Vulnerability ID VCID-y786-mwkd-u7ha
Aliases CVE-2024-22190
GHSA-2mqj-m65w-jghx
PYSEC-2024-4
Summary GitPython is a Python library used to interact with Git repositories. This is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path when it uses a shell to run `git`, and also when it runs `bash.exe` to interpret hooks. If either of those features is used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
epss 0.00353 https://api.first.org/data/v1/epss?cve=CVE-2024-22190
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-2mqj-m65w-jghx
cvssv3.1 7.8 https://github.com/gitpython-developers/GitPython
cvssv4 8.6 https://github.com/gitpython-developers/GitPython
generic_textual HIGH https://github.com/gitpython-developers/GitPython
cvssv3.1 7.8 https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f
cvssv4 8.6 https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f
generic_textual HIGH https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f
ssvc Track* https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f
cvssv3.1 7.8 https://github.com/gitpython-developers/GitPython/pull/1792
cvssv4 8.6 https://github.com/gitpython-developers/GitPython/pull/1792
generic_textual HIGH https://github.com/gitpython-developers/GitPython/pull/1792
ssvc Track* https://github.com/gitpython-developers/GitPython/pull/1792
cvssv3.1 7.8 https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx
cvssv3.1_qr HIGH https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx
cvssv4 8.6 https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx
generic_textual HIGH https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx
ssvc Track* https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx
cvssv3.1 7.8 https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2024-4.yaml
cvssv4 8.6 https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2024-4.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2024-4.yaml
cvssv3.1 7.8 https://nvd.nist.gov/vuln/detail/CVE-2024-22190
cvssv4 8.6 https://nvd.nist.gov/vuln/detail/CVE-2024-22190
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2024-22190
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/gitpython-developers/GitPython
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/gitpython-developers/GitPython
Attack Vector (AV): network; Attack Complexity (AC): low; Attack Requirements (AT): none; Privileges Required (PR): none; User Interaction (UI): active; Vulnerable System Impact Confidentiality (VC): high; Vulnerable System Impact Integrity (VI): high; Vulnerable System Impact Availability (VA): high; Subsequent System Impact Confidentiality (SC): none; Subsequent System Impact Integrity (SI): none; Subsequent System Impact Availability (SA): none

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-25T18:06:43Z/ Found at https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/gitpython-developers/GitPython/pull/1792
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/gitpython-developers/GitPython/pull/1792
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-25T18:06:43Z/ Found at https://github.com/gitpython-developers/GitPython/pull/1792
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-25T18:06:43Z/ Found at https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2024-4.yaml
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2024-4.yaml
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-22190
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-22190
Exploit Prediction Scoring System (EPSS)
Percentile 0.57703
EPSS Score 0.00353
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:49:11.195280+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/gitpython/PYSEC-2024-4.yaml 38.0.0